Extension Restricted Access

Extension Basics

Title	Restricted Access
Name	ckanext-restricted-access
Type	Public extension
Description	Middleware layer for restricting access to CKAN API actions and UI paths to sysadmin users
CKAN versions	~2.9, ~2.10, ~2.11 Show details These CKAN Versions are exactely matched: 2.10.0 2.10.1 2.10.2 2.10.3 2.10.4 2.10.5 2.10.6 2.10.7 2.10.8 2.11.0 2.11.1 2.11.2 2.11.3 2.12.0 2.9.0 2.9.1 2.9.10 2.9.11 2.9.2 2.9.3 2.9.4 2.9.5 2.9.6 2.9.7 2.9.8 2.9.9
Download-Url (zip)	https://github.com/DataShades/ckanext-restricted-access.git#egg=ckanext-restricted-access
Download-Url commit date	2024-01-23
Url to repo	https://github.com/DataShades/ckanext-restricted-access
Category	Authentication & Security

Background Infos

Description (long)	Show details The restricted-access extension adds a middleware layer to intercept requests and restrict access to specified CKAN API actions and UI paths. It restricts actions to sysadmin-level users only. The benefit of implementing it as middleware rather than using chained actions or auth functions is that you don’t need to create an override for every action or auth function you want to restrict. Features include restricting API endpoints (with wildcard support using *), restricting UI paths (with regex support), customizable error codes and messages, and optional redirect of anonymous users to login page. Configuration allows specifying lists of restricted API actions and UI paths, custom error handling, and authentication flow customization. Useful for scenarios like protecting harvest source configurations that contain API keys.
Version	0.0.1
Version release date	2024-01-23
Contact name	Salsa Digital
Contakt email	(not set)
Contact Url	(not set)

Installation Guide

Configuration hints	Installation: 1. Activate CKAN virtualenv 2. Clone and install: git clone https://github.com/DataShades/ckanext-restricted-access.git cd ckanext-restricted-access pip install -e . Add to ckan.plugins: restricted_access Configuration: List of API endpoints to restrict to sysadmins (optional, default: None) Use * wildcard to restrict all endpoints starting with prefix ckan.restricted.api_actions = harvest_* user_autocomplete status_show List of UI paths to restrict (optional, default: None) Use regex for complex rules ckan.restricted.ui_paths = ^/user/default$ (?!.login)/user/ Error code for restricted paths (optional, default: 404) Also impacts error message content ckan.restricted.ui_paths.error_code = 403 Custom error message for restricted paths (optional) Default: CKAN core message for error code ckan.restricted.ui_paths.error_message = Not authorized to see this page Redirect anonymous users to login page (optional, default: false) ckan.restricted.redirect_anon_to_login = true Example Use Case: - Public CKAN instance harvests from private instance - Harvest source contains API key of private instance user - harvest_source_list API action exposes full config including API key - Security risk: need to restrict harvest_source_list to sysadmins - Solution: ckan.restricted.api_actions = harvest_* Access Control: - Only sysadmins can access restricted endpoints - Provide api_token of sysadmin to get access - Anonymous users can be redirected to login - Custom error codes/messages for better UX API Wildcards: - harvest_* restricts all actions starting with ‘harvest_’ - user_* restricts all user-related actions - * alone would restrict everything (not recommended) UI Path Regex Examples: - ^/user/default$ - exact match for /user/default - (?!.login)/user/ - all /user/* except those containing ‘login’ - ^/admin/.* - all admin paths - ^/(harvest\|user\|admin)/.* - multiple sections Benefits: - No need to override every action/auth function - Centralized restriction management - Middleware-level security - Flexible wildcard and regex support - Protects sensitive API configurations
Plugins to configure (ckan.ini)	restricted_access
CKAN Settings (ckan.ini)	# ckan.restricted.api_actions = harvest_source_list user_autocomplete status_show # ckan.restricted.ui_actions = /user # ckan.restricted.ui_paths = ^/user/default$ (?!.login)/user/ # ckan.restricted.ui_paths.error_code = 403 # ckan.restricted.ui_paths.error_message = Not authorized to see this page # ckan.restricted.redirect_anon_to_login = true
DB migration to be executed	(not set)

<< back to Extensions